hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-24 04:36:35 +01:00
Code Issues Packages Projects Releases Wiki Activity

move path-injection MaD to PathInjectionCustomizations.qll

Browse Source
This commit is contained in:
Erik Krogh Kristensen
2022-05-05 16:51:39 +02:00
parent 2292dc5a45
commit efe306733e
4 changed files with 16 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
python/ql/lib/semmle/python/Concepts.qll
View File

@@ -62,14 +62,6 @@ module FileSystemAccess {
/** Gets an argument to this file system access that is interpreted as a path. */
abstract DataFlow::Node getAPathArgument();
}
private import semmle.python.frameworks.data.ModelsAsData
private class DataAsFileAccess extends Range {
DataAsFileAccess() { this = ModelOutput::getASinkNode("file-access").getARhs() }
override DataFlow::Node getAPathArgument() { result = this }
}
}
/**

4
python/ql/lib/semmle/python/frameworks/Asyncpg.qll
View File

@@ -38,8 +38,8 @@ private module Asyncpg {
"asyncpg;~Connection;Member[copy_from_query,execute,fetch,fetchrow,fetchval].Argument[0,query:];sql-injection",
"asyncpg;~Connection;Member[executemany].Argument[0,command:];sql-injection",
// A model of `Connection` and `ConnectionPool`, which provide some methods that access the file system.
"asyncpg;~Connection;Member[copy_from_query,copy_from_table].Argument[output:];file-access",
"asyncpg;~Connection;Member[copy_to_table].Argument[source:];file-access",
"asyncpg;~Connection;Member[copy_from_query,copy_from_table].Argument[output:];path-injection",
"asyncpg;~Connection;Member[copy_to_table].Argument[source:];path-injection",
// the `PreparedStatement` class in `asyncpg`.
"asyncpg;Connection;Member[prepare].Argument[0,query:];sql-injection",
]

6
python/ql/lib/semmle/python/security/dataflow/PathInjectionCustomizations.qll
View File

@@ -59,6 +59,12 @@ module PathInjection {
FileSystemAccessAsSink() { this = any(FileSystemAccess e).getAPathArgument() }
}
private import semmle.python.frameworks.data.ModelsAsData
private class DataAsFileSink extends Sink {
DataAsFileSink() { this = ModelOutput::getASinkNode("path-injection").getARhs() }
}
/**
* A comparison with a constant string, considered as a sanitizer-guard.
*/

16
python/ql/test/library-tests/frameworks/asyncpg/test.py
View File

@@ -7,11 +7,11 @@ async def test_connection():
try:
# The file-like object is passed in as a keyword-only argument.
# See https://magicstack.github.io/asyncpg/current/api/index.html#asyncpg.connection.Connection.copy_from_query
await conn.copy_from_query("sql", output="filepath") # $ mad-sink__sql-injection="sql" mad-sink__file-access="filepath" getAPathArgument="filepath"
await conn.copy_from_query("sql", "arg1", "arg2", output="filepath") # $ mad-sink__sql-injection="sql" mad-sink__file-access="filepath" getAPathArgument="filepath"
await conn.copy_from_query("sql", output="filepath") # $ mad-sink__sql-injection="sql" mad-sink__path-injection="filepath"
await conn.copy_from_query("sql", "arg1", "arg2", output="filepath") # $ mad-sink__sql-injection="sql" mad-sink__path-injection="filepath"
await conn.copy_from_table("table", output="filepath") # $ mad-sink__file-access="filepath" getAPathArgument="filepath"
await conn.copy_to_table("table", source="filepath") # $ mad-sink__file-access="filepath" getAPathArgument="filepath"
await conn.copy_from_table("table", output="filepath") # $ mad-sink__path-injection="filepath"
await conn.copy_to_table("table", source="filepath") # $ mad-sink__path-injection="filepath"
await conn.execute("sql") # $ mad-sink__sql-injection="sql"
await conn.executemany("sql") # $ mad-sink__sql-injection="sql"
@@ -69,10 +69,10 @@ async def test_connection_pool():
pool = await asyncpg.create_pool()
try:
await pool.copy_from_query("sql", output="filepath") # $ mad-sink__sql-injection="sql" mad-sink__file-access="filepath" getAPathArgument="filepath"
await pool.copy_from_query("sql", "arg1", "arg2", output="filepath") # $ mad-sink__sql-injection="sql" mad-sink__file-access="filepath" getAPathArgument="filepath"
await pool.copy_from_table("table", output="filepath") # $ mad-sink__file-access="filepath" getAPathArgument="filepath"
await pool.copy_to_table("table", source="filepath") # $ mad-sink__file-access="filepath" getAPathArgument="filepath"
await pool.copy_from_query("sql", output="filepath") # $ mad-sink__sql-injection="sql" mad-sink__path-injection="filepath"
await pool.copy_from_query("sql", "arg1", "arg2", output="filepath") # $ mad-sink__sql-injection="sql" mad-sink__path-injection="filepath"
await pool.copy_from_table("table", output="filepath") # $ mad-sink__path-injection="filepath"
await pool.copy_to_table("table", source="filepath") # $ mad-sink__path-injection="filepath"
await pool.execute("sql") # $ mad-sink__sql-injection="sql"
await pool.executemany("sql") # $ mad-sink__sql-injection="sql"